Re: filtering in eigrp from Petr Lapukhov on 2009-09-07 (Ccielab archives 09/2009)

From: Petr Lapukhov <petr_at_internetworkexpert.com>
Date: Mon, 7 Sep 2009 13:34:23 -0700

Hey folks,

one thing that no one seems to have mentioned, is the one I personally
love very much. As you know, EIGRP checks for router-ID when accepting
external prefixes, in order to implement additional precaution against
potential routing loops. The router-ID in the external prefixes is the
one used by the redistributing router. Thus, this rule simply ensures
that the local device will not accept back its own redistributed
prefixes.

There is an evil way of using this, by manually setting router-ids for
two EIGRP routers the same. This will prevent both routers from
accepting each other's redistributed prefixes. This trick is very
similar to using BGP cluster-ID for BGP prefix filtering. Kind of odd,
but works. For more reading, check out the following link
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800949ab.shtml.

HTH,

-- 
Petr Lapukhov, petr_at_INE.com
CCIE #16379 (R&S/Security/SP/Voice)
Internetwork Expert, Inc.
http://www.INE.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
2009/9/7 Iwan Hoogendoorn <iwan_at_ipexpert.com>:
> By the way ...
>
> When you put in the passive command ... you can not create peers.
> This way there is no traffic possible at all -- a strange but still
> true kind of filtering ...
> I know a little childish ... but still filtering ;-)
>
>
> --
> Regards,
>
> Iwan Hoogendoorn
> CCIE #13084 (R&S / Security / SP)
> Sr. Support Engineer   IPexpert, Inc.
> URL: http://www.IPexpert.com
>
>
> On Mon, Sep 7, 2009 at 10:01 PM, Anthony Sequeira<asequeira_at_ine.com> wrote:
>> No apologies necessary - we all have it happen. :-)
>>
>> Thanks for the link by the way - that is the kind of document that Cisco
>> likes to compose Core Knowledge questions from!
>>
>> Warmest Regards,
>>
>> Anthony J. Sequeira, CCIE #15626
>> http://www.INE.com
>>
>> Test your Core Knowledge today!
>> Q: What is the IGMP version designed to work with PIM SSM?
>> A: Version 3
>> More Info:
>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtmcxacl.html
>>
>>
>> On Sep 7, 2009, at 3:58 PM, Iwan Hoogendoorn wrote:
>>
>>> Hi,
>>>
>>> Yes I was a little too quick with the passive interface comment ...
>>> I once read this document:
>>>
>>> http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080093f0a.shtml
>>>
>>> Where it was done with the distribute list ... but it got the
>>> information from the passive interface guide ...from the link ... so I
>>> was a little confused ;-)
>>> Sorry bout that fella's
>>>
>>> --
>>> Regards,
>>>
>>> Iwan Hoogendoorn
>>> CCIE #13084 (R&S / Security / SP)
>>> Sr. Support Engineer   IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>>>
>>> On Mon, Sep 7, 2009 at 9:36 PM, Anthony Sequeira<asequeira_at_ine.com> wrote:
>>>>
>>>> Yeah - Iwan needs to revisit the use of passive interface and EIGRP, or
>>>> let
>>>> us in on the secret here. :-)
>>>>
>>>> The behavior described below seems relevant for RIP v2, not EIGRP.
>>>>
>>>> Here are my foremost option ideas for EIGRP prefix filtering:
>>>>
>>>> EIGRP
>>>> Do Not Accept Prefixes   EIGRP
>>>> Option 1   offset-list
>>>> Option 2   distribute-list   can reference route-maps as well
>>>> Option 3   administrative distance
>>>> Option 4   metric maximum
>>>>
>>>> Warmest Regards,
>>>>
>>>> Anthony J. Sequeira, CCIE #15626
>>>> http://www.INE.com
>>>>
>>>> Test your Core Knowledge today!
>>>> Q: How many levels of nested policers is supported with MQC?
>>>> A: three
>>>> More Info:
>>>> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/hierpol.html
>>>>
>>>>
>>>> On Sep 7, 2009, at 2:09 PM, Mohamed El Henawy wrote:
>>>>
>>>>> Sorry for brining this thread out of the dead
>>>>>
>>>>> how can we use passive interface ...neighborship will go down
>>>>>
>>>>>
>>>>> ----- Original Message ----- From: "Iwan Hoogendoorn"
>>>>> <iwan_at_ipexpert.com>
>>>>> To: "Mark Matters" <markccie_at_gmail.com>
>>>>> Cc: "Cisco certification" <ccielab_at_groupstudy.com>
>>>>> Sent: Friday, August 21, 2009 7:15 PM
>>>>> Subject: Re: filtering in eigrp
>>>>>
>>>>>
>>>>>> Dear Mark,
>>>>>>
>>>>>> You can filter EIGRP in the ways you provided
>>>>>>
>>>>>> - distribute-list
>>>>>> - redistribution with a route-map that looks at al prefix-list and/or
>>>>>> an access-list or you can even tag the route
>>>>>> - do a summery route
>>>>>>
>>>>>> But you can also go for the passive-interface command.
>>>>>> This way you only can only receive routes from your EIGRP neighbour
>>>>>> but not send anytin at all ... which is a kind of filtering in the end
>>>>>> ;-)
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>>
>>>>>> Iwan Hoogendoorn
>>>>>> CCIE #13084 (R&S / Security / SP)
>>>>>> Sr. Support Engineer   IPexpert, Inc.
>>>>>> URL: http://www.IPexpert.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 21, 2009 at 5:57 PM, Mark Matters<markccie_at_gmail.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> How many ways can I filter routes in EIGRP?
>>>>>>>
>>>>>>> distribute-list
>>>>>>> redistribute / route-map / acl / ip prefix
>>>>>>> summary
>>>>>>>
>>>>>>>
>>>>>>> Are there any other ways?
>>>>>>>
>>>>>>>
>>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________________________________
>>>>>>> Subscription information may be found at:
>>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>>
>>>>>> Iwan Hoogendoorn
>>>>>> CCIE #13084 (R&S / Security / SP)
>>>>>> Sr. Support Engineer   IPexpert, Inc.
>>>>>> URL: http://www.IPexpert.com
>>>>>>
>>>>>>
>>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>>
>>>>>> _______________________________________________________________________
>>>>>> Subscription information may be found at:
>>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --------------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>> No virus found in this incoming message.
>>>>> Checked by AVG - www.avg.com
>>>>> Version: 8.5.409 / Virus Database: 270.13.63/2317 - Release Date:
>>>>> 08/21/09
>>>>> 06:04:00
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>> Iwan Hoogendoorn
>>> CCIE #13084 (R&S / Security / SP)
>>> Sr. Support Engineer   IPexpert, Inc.
>>> URL: http://www.IPexpert.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net

Received on Mon Sep 07 2009 - 13:34:23 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART